[Smcwg-public] [EXTERNAL]-Re: Use of the certificateHold CRLreason for leaf certificates

Ben Wilson bwilson at mozilla.com
Fri Sep 2 15:04:17 UTC 2022


All,
A way to resolve this, potentially, is to treat the S/MIME Baseline
Requirements as a Certificate Policy. I think we already do that somewhat
with some of the language in the S/MIME BRs.
Ben

On Fri, Sep 2, 2022 at 8:50 AM Tim Hollebeek via Smcwg-public <
smcwg-public at cabforum.org> wrote:

> I get what Russ is saying now.
>
> What Russ has a problem with, and you and I don’t, is if a CA has both a
> CP and a CPS, but discusses suspension only in the CPS but not the CP.  And
> I can see why he might have a problem with that, as the CPS is supposed to
> describe the practices that meet the policy in the CP, and if the
> suspension practices described in the CPS don’t map to any policy
> requirements in the CP, then what are they there for?  And he kinda sorta
> has a point.
>
> The reason I don’t have a problem with it after thinking about it a bit, is
> that the CP might discuss the policy by reference, and not explicitly, for
> example by stating something like “certificates issued under this CP comply
> with the requirements of the S/MIME BRs version 1.0”.  And it would make
> perfect sense if the CPS then described the CA’s suspension practices, to
> demonstrate how they comply with the requirements of those BRs.  Whether
> one would say that the CP describes suspension in this case is subject to
> interpretation, but I’m guessing Russ would argue that it does (by
> reference).
>
> The other reason I don’t have a problem with it is because in the event
> that you are doing something wrong here, you’re already violating various
> requirements about what should appear in CPs and CPSs, and trying to fix
> that in this particular requirement is a bit difficult.
>
> I suppose we could write something like “in the CPS (and CP, if
> necessary)”.  That, I think, matches the intent of the requirement, which
> was to make sure that everyone’s suspension practices are described in their
> CPS.  And it also addresses Russ’s concern that being silent on this in
> your CP is also probably not something you want to do, if you have one.
>
> -Tim
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of *Pedro
> FUENTES via Smcwg-public
> *Sent:* Friday, September 2, 2022 10:13 AM
> *To:* Russ Housley <housley at vigilsec.com>
> *Cc:* SMIME Certificate Working Group <smcwg-public at cabforum.org>
> *Subject:* Re: [Smcwg-public] [EXTERNAL]-Re: Use of the certificateHold
> CRLreason for leaf certificates
>
> Russ:
>
> Unless I missed some message, Tim said that and/or means “that it can be in
> the CP and the CPS, or just the CP, or just the CPS”. This is the same I
> said.
>
> Something to consider is that, eventually, the CP could state that the CA
> will stipulate the provisions around suspension in the CPS.
>
> So it all depends on how the documents are written, but the key point here is
> that, for any kind of stipulation, CP and CPS must be consistent.
>
> Best,
>
> Pedro
>
> On 2 Sep 2022, at 15:58, Russ Housley <housley at vigilsec.com> wrote:
>
> Pedro:
>
> Please see the analysis by Tim.  As I said, I am not content with it only
> appearing in a CPS.  If it appears in a document that serves as both a CP
> and a CPS, that is acceptable to me.
>
> Russ
>
> On Sep 2, 2022, at 1:40 AM, Pedro FUENTES <pfuentes at WISEKEY.COM> wrote:
>
> Hi Russ,
>
> The traditional interpretation of and/or is actually “or”, from a logical
> perspective.
>
> Anyway, if I’m wrong I’m happy to be corrected.
>
> BR/P
>
> On 1 Sept 2022, at 22:10, Russ Housley <housley at vigilsec.com> wrote:
>
> Pedro:
>
> Which means that it could only be in the CPS and not in the CP.  I
> could live with "and".  I think "and/or" is what causes the problem.
>
> Russ
>
> On Sep 1, 2022, at 3:50 PM, Pedro FUENTES <pfuentes at WISEKEY.COM> wrote:
>
> Well... I could be wrong as I’m using my mobile, but I thought I saw in
> GitHub “CP and/or CPS”
>
> On 1 Sept 2022, at 21:24, Russ Housley <housley at vigilsec.com> wrote:
>
> Pedro:
>
> In my view, the current wording would allow a CA to only discuss
> suspension in the CPS, even if that CA has both a CP and a CPS.  That seems
> wrong to me.
>
> Russ
>
> On Sep 1, 2022, at 3:13 PM, Pedro FUENTES <pfuentes at WISEKEY.COM> wrote:
>
> Although we do, not all CAs have separate CP and CPS. The wording must be
> flexible.
>
> On 1 Sept 2022, at 21:07, Russ Housley via Smcwg-public <
> smcwg-public at cabforum.org> wrote:
>
> Stephen:
>
> I would strongly prefer that any use of suspension be described in the CP
> (not the CPS).
>
> Russ
>
> On Sep 1, 2022, at 11:54 AM, Stephen Davidson via Smcwg-public <
> smcwg-public at cabforum.org> wrote:
>
> Hello:
>
> Following active discussion relating to suspension for leaf certificates
> by the WG, it was agreed to document the use of suspension for the Legacy
> and Multipurpose certificate generations.
>
> There were arguments regarding the appropriateness of certificateHold in
> the context of S/MIME, and its effectiveness in the face of limited client
> support.
>
> However, suspension is permitted by some other standards and regulations,
> and is used by CAs for S/MIME-capable certificates in some regions.
>
> It is likely that future ballots may further amend these Requirements
> relating to suspension.
>
> A draft of the changes may be found at
> https://github.com/cabforum/smime/commit/347eb1b93e1ac5b2ceb13692ce958b6ebd5af5ff
>
> Regards, Stephen
>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>
> * WISeKey SA*
>
>
> *Pedro Fuentes *CSO - Trust Services Manager
> Office: + 41 (0) 22 594 30 00
> Mobile: + 41 (0) 791 274 790
>
> Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
>
>
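Stephen's note above mentions that the effectiveness of certificateHold depends on client support. As an added illustration that is not part of this thread or of any CA/Browser Forum document, the following Go program uses only the standard library to build a CRL from a throwaway CA with one entry on certificateHold (reason 6) and one revoked for keyCompromise (reason 1), parses it back from DER, verifies the signature, and then classifies serial numbers two ways: honouring the CRLReason entry extension, and ignoring it as a client without suspension support would. The CA name, serial numbers and CRL number are constructed test data; `must`, `reasonExt`, `reasonOf`, `CheckSerial` and `BuildTestCRL` are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable in a self-contained demo, not in production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CRLReason codes from RFC 5280 section 5.3.1 and the id-ce-cRLReasons extension OID.
const ReasonKeyCompromise, ReasonCertificateHold = 1, 6

var oidCRLReason = asn1.ObjectIdentifier{2, 5, 29, 21}

type Status string // verdict a relying party reaches for one serial number

const StatusGood, StatusRevoked, StatusSuspended Status = "good", "revoked", "suspended"

// reasonExt builds the non-critical CRLReason entry extension (an ASN.1 ENUMERATED).
func reasonExt(code int) pkix.Extension {
	return pkix.Extension{Id: oidCRLReason, Value: must(asn1.Marshal(asn1.Enumerated(code)))}
}

// reasonOf extracts the CRLReason from a parsed entry; 0 (unspecified) when absent.
func reasonOf(rc pkix.RevokedCertificate) int {
	for _, e := range rc.Extensions {
		if !e.Id.Equal(oidCRLReason) {
			continue
		}
		var code asn1.Enumerated
		if _, err := asn1.Unmarshal(e.Value, &code); err == nil {
			return int(code)
		}
	}
	return 0
}

// CheckSerial looks a serial up in the CRL. With honourReason set, a certificateHold
// entry is reported as suspended (invalid now, may be reinstated). Without it, which
// models a client that never reads reason codes, every listed serial is simply revoked:
// a held certificate is indistinguishable from a compromised one.
func CheckSerial(crl *x509.RevocationList, serial *big.Int, honourReason bool) Status {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) != 0 {
			continue
		}
		if honourReason && reasonOf(rc) == ReasonCertificateHold {
			return StatusSuspended
		}
		return StatusRevoked
	}
	return StatusGood
}

// BuildTestCRL signs a CRL from a throwaway CA with two constructed entries:
// serial 1001 placed on certificateHold, serial 1002 revoked for keyCompromise.
func BuildTestCRL() *x509.RevocationList {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"}, // constructed name
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList needs an issuer SKI for the AKI
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key))))
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(1001), RevocationTime: now, Extensions: []pkix.Extension{reasonExt(ReasonCertificateHold)}},
			{SerialNumber: big.NewInt(1002), RevocationTime: now, Extensions: []pkix.Extension{reasonExt(ReasonKeyCompromise)}},
		},
	}
	// Round-trip through DER and check the signature, exactly as a relying party would.
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key))))
	if err := crl.CheckSignatureFrom(ca); err != nil {
		panic(err)
	}
	return crl
}

func main() {
	crl := BuildTestCRL()
	for _, s := range []int64{1001, 1002, 1003} {
		fmt.Printf("serial %d: reason-aware=%s naive=%s\n", s, CheckSerial(crl, big.NewInt(s), true), CheckSerial(crl, big.NewInt(s), false))
	}
}
```

The naive path fails safe while the hold is in place, since the serial is on the list either way, but it cannot tell the relying party that the certificate may return to service once the CA drops the entry from the next base CRL (or flags it removeFromCRL in a delta CRL, per RFC 5280). That asymmetry is the practical limit that the remark about client support points at: suspension only buys the CA something if enough clients both fetch the CRL and act on the reason code.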
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220902/f8cd2118/attachment-0001.html>


More information about the Smcwg-public mailing list